Security of quantum key distribution with bit and basis dependent detector flaws

We consider the security of the Bennett-Brassard 1984 (BB84) protocol for Quantum Key Distribution (QKD), in the presence of bit and basis dependent detector flaws. We suggest a powerful attack that can be used in systems with detector efficiency mismatch, even if the detector assignments are chosen randomly by Bob. A security proof is provided, valid for any basis dependent, possibly lossy, linear optical imperfections in the channel/receiver/detectors. The proof does not assume the so-called squashing detector model.

I. INTRODUCTION

Quantum mechanics makes it possible to exchange a random bit string at a distance [1-4]. In theory, the key distribution is secure, even if an eavesdropper Eve can do anything allowed by the currently known laws of nature [5-8].

In practical QKD systems there will always be imperfections. The security of QKD systems with a large variety of imperfections has been proved 0, H-[ll|- However, a QKD system is relatively complex, and loopholes and imperfections exist that are not covered by existing security proofs. A security loophole can be dealt with in two different ways: Either you modify the implementation, or you increase the amount of privacy amplification [l^ required to remove Eve's information about the key. The first approach, to modify the implementation, may often be done without decreasing the rate at which secret key can be generated. It may however increase the complexity of the implementation, which in turn may lead to new loopholes. The advantages of the second approach, to increase the amount of privacy amplification, are that the apparatus can be kept as simple as possible, and that existing implementations can be made secure with a software update. A drawback is clearly the reduced key rate, which is considered a critical parameter in commercial QKD systems.

One of the imperfections to be considered in this paper is called detector efficiency mismatch (DEM) [13]. If an apparatus has DEM, Eve can control the efficiencies of Bob's detectors by choosing a parameter $t$ in some external domain. Examples of such domains can be the timing, polarization, or frequency of the photons [H, [13].

To be more concrete, consider DEM in the time-domain. In most QKD systems Bob's apparatus contains two single photon detectors to detect the incoming photons, one for each bit value. (Equivalently, two different detection windows of a single detector can be used for the two bit values (time-multiplexed detector).) Normally the detectors are gated in the time-domain to avoid high dark-counts. This means that electronic circuits are used to turn the detectors on and off, creating detection windows. Different optical path lengths, inaccuracies in the electronics, and finite precision in detector manufacturing may cause the detection windows of the two detectors to be slightly shifted, as seen in Fig. 1. The shift means that there exist times where the two detectors have different efficiencies.

FIG. 1: An example of mismatched efficiency curves for two detectors in the time-domain. The functions $\eta_0(t)$ and $\eta_1(t)$ are the efficiencies of detector 0 and 1, respectively. The parameter $t$ can be used to parametrize other domains as well.

Systems with DEM can be attacked with a faked-states attack [13]. The faked-states attack is an intercept-resend attack where Eve does not try to reconstruct the original state sent by Alice, but rather exploits the imperfections in Bob's apparatus to hide errors. The faked-states attack can be adapted to the Scarani-Acin-Ribordy-Gisin 2004 (SARG04), Ekert, and Differential Phase Shift Keying (DPSK) protocols, in addition to BB84 [15]. Another attack on systems with DEM is the time-shift attack [l^. In this attack Eve just selects the timing of each qubit randomly, thereby gaining information about the bit value when Bob announces which qubits were received and which were lost. The major advantage of the time-shift attack is that it does not introduce any quantum bit error rate (QBER). It has been demonstrated experimentally that the security of a commercially available QKD system can be compromised with a time-shift attack.

A frequently mentioned countermeasure for systems with DEM is called four-state Bob [H, [H, [H, . In a phase-encoded QKD system, Bob chooses from four different phase settings $\{0, \pi/2, \pi, 3\pi/2\}$ instead of only two $\{0, \pi/2\}$. This will randomly assign the bit values 0 and 1 to the detectors (or the detection windows, in the case of one time-multiplexed detector) for each received state. Therefore Eve does not know which detector characteristics correspond to the 0 and 1 detectors.

However, as mentioned previously [H, [HI Eve may use a large laser pulse attack [20]-[23] to read Bob's phase modulator settings. In a large pulse attack Eve uses a strong laser pulse to measure the reflections from either Alice's or Bob's apparatus. The setting of the phase modulator may give a signature on the reflections, enabling Eve to obtain the phase.

First assume that Eve is able to read Alice's modulator settings. Then Eve could obtain bit and/or basis information before the pulse enters Bob's apparatus, and therefore the security would be seriously compromised. Fortunately, Alice's implementation can easily be modified to avoid the large pulse attack. A setup with a coherent laser source contains an attenuator, and moving this to the end of the apparatus, as well as introducing an optical isolator, will put impossible requirements on Eve's laser [11]. In "plug-and-play" systems Alice already uses a detector to monitor the input of her setup. Therefore a large pulse attack can easily be revealed by monitoring the intensity of the input.

In a straightforward implementation of BB84, the phase modulator setting in Bob's setup only contains basis information. It usually poses no security threat if Eve reads the basis, as she will get it during the public discussion anyway. One only has to avoid that Eve receives the basis information before the pulse enters Bob's apparatus. This can be taken care of by placing a properly long coil of optical fiber at the entrance of Bob's setup.

However, if the DEM loophole is patched with four-state Bob, the large pulse attack is dangerous, because it may give Eve information about the detector assignments. Modifying Bob's setup to avoid large pulse attacks is not an easy task. The most practical solution seems to be a beam splitter or an optical circulator combined with an intensity detector [23]. Note that the key rate will suffer; the input of Bob's setup is precious single photons. Also the setup gets more complex, which should be avoided as far as possible, to limit the number of "hidden surprises". It is therefore not obvious whether such modifications should be implemented, or whether the security should be regained with extra privacy amplification. Even though some systems implement four-state Bob, several of them lack countermeasures for a strong pulse attack on Bob's side. Therefore we will pursue the latter solution, i.e., we assume that Eve is able to read Bob's phase modulator setting after Bob's detection.

Security bounds state an unconditionally secure key rate, positive in a range of some parameter(s). Ideally one should be able to prove the converse, namely that with the parameter(s) outside this range the QKD system is provably insecure. Unfortunately this is not always simple. Usually there is a third range of the parameter(s) where it is not known whether the QKD protocol is secure. For instance with perfect devices and one-way classical communication, the QKD system is unconditionally secure for QBER < 11 % [1], and provably insecure for QBER > 14.6 % [2^. Until the gap is closed the security bounds represent a lower bound on the secure key rate, and the best known attacks represent an upper bound.

Fung et al. found a security bound for QKD systems with DEM [14]. QKD systems with four-state Bob are proved to be secure, provided Eve cannot read Bob's phase settings with a large pulse attack. The security proof assumes the so-called squashing model [§|.

In this paper we first establish an upper bound for the secure key rate of QKD systems with DEM by presenting two powerful attacks, one of which even applies to implementations with four-state Bob (Section II). Then we will establish a lower bound for the secure key rate by providing a simple security proof of QKD systems with general, basis and bit dependent detector flaws (Section III), generalizing the proof by Fung et al. More precisely, any basis dependent, possibly lossy, linear optical imperfections in the channel and receiver are covered by the proof. For example, the proof covers mixing between all available optical modes, misalignments, mode-dependent losses, DEM, and any basis dependence of those effects. The proof is formulated for a decoy-state BB84 protocol and does not assume a squashing model. Finally, in Section IV we will examine some examples, including DEM, DEM with mode mixing, and DEM with misalignment.

II. SECURITY ANALYSIS: UPPER BOUND 

In this section we analyse two powerful attacks on systems with DEM. Such attacks are important because they establish a regime where QKD systems with DEM are provably insecure. To analyze the attacks, for the moment we define $\eta = \max\{\min_t \eta_1(t)/\eta_0(t),\ \min_t \eta_0(t)/\eta_1(t)\} \in [0,1]$, representing the smallest efficiency ratio available for both bit values. For individual attacks the secret key rate is given by [T^ . [25] (given one-way classical communication)

$$R = I(\alpha:\beta) - I(\alpha:\varepsilon), \tag{1}$$

where $I(\cdot:\cdot)$ denotes mutual information and $\alpha$, $\beta$, and $\varepsilon$ represent Alice's, Bob's and Eve's bits.

In the previous analysis of the faked-states attack [l^ , the attack was limited by the introduced QBER rather than Eve's insufficient knowledge about the key. By attacking only a fraction of the bits with the faked-states attack one can compromise the security for even higher values of $\eta$. The other fraction could be attacked with the time-shift attack which introduces no QBER.

To tailor $E$, the QBER measured by Alice and Bob, the fraction $r$ attacked by the faked-states attack is given by

$$r = \frac{E}{E_{\mathrm{fs}}} = \frac{1+3\eta}{2\eta}E, \tag{2}$$

where $E_{\mathrm{fs}} = 2\eta/(1+3\eta)$ is the QBER introduced by the faked-states attack. The mutual information between Alice and Eve is given by

$$I(\alpha:\varepsilon) = r\,I(\alpha:\varepsilon)_{\mathrm{fs}} + (1-r)\,I(\alpha:\varepsilon)_{\mathrm{ts}} = 1 - E - h\!\left(\frac{\eta}{1+\eta}\right)\left[1 - \frac{1+3\eta}{2\eta}E\right], \tag{3}$$

where $r$ is given in (2) and $I(\alpha:\varepsilon)_{\mathrm{fs}} = 1 - E_{\mathrm{fs}}$ and $I(\alpha:\varepsilon)_{\mathrm{ts}} = 1 - h(\eta/(1+\eta))$ denote the mutual information in the faked-states and the time-shift attack, respectively, as given in Refs jl^! 13-. $h(\cdot)$ is the binary entropy function. Since Alice and Bob do not know how each bit is attacked, $I(\alpha:\beta)$ is simply given by $1 - h(E)$. The key rate (1) thus becomes

$$R = E + h\!\left(\frac{\eta}{1+\eta}\right)\left[1 - \frac{1+3\eta}{2\eta}E\right] - h(E). \tag{4}$$

Without considering DEM, Alice and Bob think that the key is secure when QBER < 11% (symmetric protocols with one-way classical communication Q). Solving the equality $R = 0$, where $R$ is given by (4), and setting $E = 0.11$ gives $\eta = 0.215$.

The above combined attack is implementable with current technology. Up to $\eta = 0.160$ it represents an upper bound on the secure key rate (see Fig. ). However, with four-state Bob, the attack is impossible since the faked-states attack requires knowledge of the bit-detector mapping before Bob receives the pulse.

For higher values of $\eta$ there exists an even more efficient attack. The optimal individual attack in the absence of imperfections is known [24]. Here Eve lets the qubit from Alice interact with a probe. After the basis is revealed, Eve's probe is in one of two non-orthogonal states 2^1

$$|\psi_0\rangle = |0\rangle, \tag{5a}$$
$$|\psi_1\rangle = \cos\varphi\,|0\rangle + \sin\varphi\,|1\rangle, \tag{5b}$$

where $\varphi$ is related to the QBER by

$$\cos\varphi = 1 - 2E. \tag{6}$$

Eve has to separate between $|\psi_0\rangle$, corresponding to the bit value 0 at Alice, and $|\psi_1\rangle$, corresponding to the bit value 1. The two states occur with an a priori probability 1/2.

In the presence of DEM, we improve the attack as follows: In addition to using a probe, Eve launches a time-shift attack. If Bob announces receipt, the probabilities of the two bit values are now $\{1/(1+\eta),\ \eta/(1+\eta)\}$ according to the time-shift attack [IQ]. Then after the public discussion, Eve has to separate between the states (5) with the a priori probabilities $\{1/(1+\eta),\ \eta/(1+\eta)\}$. The optimal measurement is projective [26], and the probability $p$ of Eve measuring the correct bit value is found to be

where $\varphi$ is related to the QBER as in Eq. (6).

Since Eve has probability $p$ to have the same bit value as Alice, $I(\alpha:\varepsilon)$ is simply $1 - h(p)$. $I(\alpha:\beta)$ is given by $1 - h(E)$. The key rate (1) for this improved optimal individual attack is thus

$$R = h(p) - h(E), \tag{8}$$

where $p$ is given by (7).

Without considering DEM, Alice and Bob think that the key is secure when QBER < 11%. Solving the equality $R = 0$, where $R$ is given by (8), and setting $E = 0.11$ gives $\eta = 0.252$. In a commercial QKD system $\eta$ was found to be approximately 0.25 (see Fig. 3 in [13]) [ssl ]. Therefore, this attack could be used to compromise the security of such QKD systems. Note that the attack does not require the bit-detector mapping until the post-processing step. Therefore systems patched with four-state Bob are vulnerable to the attack combined with a large pulse attack.

Note that both attacks represent a substantial improvement compared to the previously published attacks, which require $\eta < 0.066$ [13]. Fig. 3 shows the range of $E$, $\eta$ which compromises security, and compares the two attacks.
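The two thresholds quoted in this section can be reproduced numerically, which is also how a measured mismatch $\eta$ and QBER $E$ can be checked against the provably insecure region. The following is an added example, not code from the paper; the function names are hypothetical, and because Eq. (7) is not reproduced on this page, `p_correct` assumes the standard minimum-error (Helstrom) probability for the two states (5) with the stated a priori probabilities.

```python
import math


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def rate_combined(E, eta):
    """Key rate under the combined faked-states/time-shift attack, Eqs. (1)-(4)."""
    E_fs = 2.0 * eta / (1.0 + 3.0 * eta)   # QBER introduced by the faked-states part
    r = min(1.0, E / E_fs)                 # Eq. (2); r is a fraction, so it is capped at 1
    I_fs = 1.0 - E_fs
    I_ts = 1.0 - h(eta / (1.0 + eta))
    I_ae = r * I_fs + (1.0 - r) * I_ts     # Eq. (3)
    return (1.0 - h(E)) - I_ae             # Eq. (1); equals Eq. (4) whenever r < 1


def p_correct(E, eta):
    """Assumed form of Eq. (7): Helstrom probability for the states (5)."""
    cos_phi = 1.0 - 2.0 * E                # Eq. (6)
    p0 = 1.0 / (1.0 + eta)                 # a priori probabilities after the time shift
    p1 = eta / (1.0 + eta)
    return 0.5 * (1.0 + math.sqrt(1.0 - 4.0 * p0 * p1 * cos_phi ** 2))


def rate_probe(E, eta):
    """Key rate under the improved optimal individual attack, Eq. (8)."""
    return h(p_correct(E, eta)) - h(E)


def eta_threshold(rate, E, lo=1e-6, hi=1.0):
    """Largest eta with rate(E, eta) <= 0, by bisection (rate increases with eta)."""
    if rate(E, lo) > 0.0 or rate(E, hi) <= 0.0:
        raise ValueError("no sign change of the rate on [lo, hi]")
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if rate(E, mid) <= 0.0:
            lo = mid
        else:
            hi = mid
    return lo


def provably_insecure(E, eta):
    """True if at least one of the two attacks leaves no secret key at (E, eta)."""
    return min(rate_combined(E, eta), rate_probe(E, eta)) <= 0.0


if __name__ == "__main__":
    E = 0.11
    print("combined attack threshold: eta = %.3f" % eta_threshold(rate_combined, E))
    print("probe + time-shift threshold: eta = %.3f" % eta_threshold(rate_probe, E))
    for eta in (0.10, 0.25, 0.30):         # constructed sample values of the mismatch
        print("eta = %.2f, E = %.2f -> insecure: %s" % (eta, E, provably_insecure(E, eta)))
```
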



III. SECURITY ANALYSIS: LOWER BOUND 

In this section we will prove the security of the BB84 protocol in the presence of bit and basis dependent detector flaws, and establish the secure key generation rate. We will prove the security in a general setting, lifting the so-called squashing model assumption. That is, Eve may send any multimode, photonic state, and Bob uses practical threshold detectors. Alice may use a single-photon source or phase-randomized faint laser pulses; in the latter case, Alice may use decoy states [27]-[29] to estimate photon-number dependent parameters. Alice's source is otherwise assumed perfect: It emits an incoherent mixture of photonic number states, randomly in logical modes "0" or "1", randomly in the $X$ or $Z$ bases, with no correlation between the bits, bases, and photon number statistics [30].

The state space accessible to Eve consists of the Fock space associated with all photonic modes supported by the channel. The channel and receiver are modeled as basis-dependent quantum operations, $\mathcal{C}_Z$ and $\mathcal{C}_X$, in front of two threshold detectors. Here $Z$ and $X$ denote the bases chosen by Bob. Since reduced detector efficiencies can be absorbed into the quantum operations, we can let Bob's threshold detectors have perfect efficiency. Dark counts are attributed to Eve, and for double click events, Bob assigns a random value to his bit 0, •

In our security proof, the key condition on $\mathcal{C}_Z$ and $\mathcal{C}_X$ is that they are passive, in the sense of

$$|0\rangle \to |0\rangle, \tag{9}$$

where $|0\rangle$ denotes the vacuum state of all modes. In other words, vacuum incident to all modes gives vacuum out. This condition is rather general; it includes all linear and nonlinear optical transformations of the modes supported by the channel.

For simplicity, however, we will restrict ourselves to linear optical imperfections. Bob's two detectors may still have different efficiencies, depending on the time, frequency, and/or polarization of the incoming states. Moreover, there may be imperfections in the channel and Bob's receiver. This can be described as arbitrary, square matrices $C_Z$ and $C_X$, acting on the channel modes after Eve's intervention. The linear-optical property of $C_Z$ and $C_X$ is ensured by the fact that they are classical transformations (or transfer matrices) operating on the physical, photonic modes (e.g. temporal modes and polarization modes) rather than the total Fock space of the modes. Each mode can contain any photonic state such as number states or coherent states. Although $C_Z$ and $C_X$ have finite dimension, the associated, induced quantum operations $\mathcal{C}_Z$ and $\mathcal{C}_X$ operate on an infinite dimensional Fock space. We use the convention that Bob's basis selector is included in $C_X$ (see Subsection IV A).

With singular value decomposition, we can write

$$C_Z = U_Z F_Z V_Z C, \tag{10}$$

where $U_Z$ and $V_Z$ are unitary operators, and $F_Z$ is a diagonal, positive matrix. In addition to the usual singular value decomposition, we have included an extra matrix factor $C$, governing losses and imperfections in the channel and/or receiver, independent of the basis chosen by Bob. The matrix $C$ may for example describe loss of the channel and time-dependent detector efficiencies common for the two detectors. The operator $C$ can be absorbed into Eve's attack, thus it never appears in the following analysis. The unitary operators $U_Z$ and $V_Z$ mix the modes together. For example, $V_Z$ is the result of sending the modes through a network isomorphic to the type in [31]. The diagonal matrix $F_Z$ represents the different efficiencies of the two detectors (in addition to basis-dependent absorptions in the receiver), and satisfies

$$|F_Z|^2 = \mathrm{diag}\left[\eta_{Z0}(t_1)\ \ \eta_{Z1}(t_1)\ \ \eta_{Z0}(t_2)\ \ \eta_{Z1}(t_2)\ \cdots\right]. \tag{11}$$

The parameters $t_j$, $j = 1, 2, \ldots$ label different modes. For example, $t_j$ may correspond to different temporal modes. In the absence of $U_Z$ and $V_Z$, $\eta_{Z0}(t_j)$ and $\eta_{Z1}(t_j)$ can be viewed as the efficiencies of detector 0 and 1 in the $Z$-basis. Otherwise the efficiencies $\eta_{Z0}(t_j)$ and $\eta_{Z1}(t_j)$ do not necessarily correspond to the detectors 0 and 1, respectively, nor to detection time $t_j$. However, the notation is selected as in the special case for intuition. Note that $F_Z$ may be represented as a collection of beam splitters with transmittivities $\eta_{Z0}(t_1)$, $\eta_{Z1}(t_1)$, and so forth. Then each mode is incident to its own beam splitter, and the vacuum state is sent into the other input.

FIG. 2: a) Actual protocol, b) Estimation of Alice's virtual $X$-basis measurement, c) Simplification of Fig. 2b from Bob's point of view, d) Actual parameter estimation in the $X$-basis.

The resulting model is shown in Fig. 2a. In the model we have included an extra measurement, giving information to Eve whether the total state is equal to the vacuum $|0\rangle$. While this information actually comes from Bob, it is convenient to let Eve obtain this information from a separate measurement. Note that this extra vacuum measurement does not disturb Bob's measurement statistics for any basis choice.

We will prove security using Koashi's argument (sol.ls^. [33], which we briefly summarize here. In the BB84-like actual protocol Alice generates a large number of bipartite states, where her part consists of a qubit which she measures randomly in the $X$- or $Z$-basis. The other part of the pairs is sent to Bob via Eve. Bob measures what he receives from Eve randomly in two different bases, which we will refer to as the "$X$-basis" or the "$Z$-basis". For example, for polarization encoding Bob's two measurements should ideally correspond to threshold detectors in horizontal/vertical or ±45° polarization bases, with double clicks as random assignment. Alice and Bob discard all events where they used incompatible bases. Further, Bob publicly announces receipt if he receives something different from vacuum. Let $Q_X$ and $Q_Z$ be the fractions of non-vacuum results in each basis. Alice and Bob compare their $X$-basis measurement results to estimate $Q_X$ and the error rate $E_X$. The $N$ states measured in the $Z$-basis yield $NQ_Z$ non-vacuum results. For these $NQ_Z$ events Alice's measurement result is the raw key.

The required amount of privacy amplification can be found as follows: imagine a virtual experiment where Alice measures the qubits for the raw key in the $X$-basis instead of the $Z$-basis. Bob tries to predict the result of Alice's virtual $X$-basis measurement. Bob does not perform such a prediction in practice; thus in this prediction we may let Bob do everything permitted by quantum mechanics, as long as he does not alter the information given to Eve. Let $H_{\mathrm{virt}X}(A|B=\mu)$ denote the entropy of Alice's virtual $X$-basis measurement result, given measurement result $\mu$ in Bob's prediction. It turns out that $H_{\mathrm{virt}X}(A|B=\mu)$ can be bounded using $E_X$ and $Q_X$, so assume that $H_{\mathrm{virt}X}(A|B=\mu) < H$. Since the uncertainty about Alice's $X$-basis measurement is less than $H$, the entropic uncertainty relation [s^] suggests that any prediction (including Eve's prediction) of the result of Alice's $Z$-basis measurement will have at least $NQ_Z - H$ entropy. Thus Alice can extract $NQ_Z - H$ bits of secret key. Rigorously, this rate is found by concretizing the privacy amplification procedure by universal hashing. Although Koashi's original proof is formulated with an obsolete security definition based on accessible information, the proof can easily be adapted to a composable security definition [35-37].

Bob must ensure that he has an identical raw key. Since it does not matter to Eve what Bob does (as long as he gives Eve the same information), he measures the bits for the raw key in the $Z$-basis. Alice and Bob compare a subset of the raw key to find the error rate $E_Z$ (consuming some of the raw key, but negligible in the asymptotic limit), and Alice sends Bob $NQ_Z h(E_Z)$ bits of error correcting information, consuming $NQ_Z h(E_Z)$ bits of previously established secret key. In the asymptotic limit $N \to \infty$ the net secure key generation rate becomes

$$R_Z \geq 1 - \frac{H}{NQ_Z} - h(E_Z). \tag{12}$$

Note that $H$ is needed to ensure that Alice's key is secret, and this only requires $X$-basis parameters to be estimated by Alice and Bob. Thus there is no need to invoke the classicalization argument regarding statistics of measurements involved in the simultaneous estimation of $E_X$ and $E_Z$.

For his prediction, Bob will use the virtual measurement in Fig. 2b. Bob first applies the unitary operator $U_Z^\dagger$, followed by the filter $\bar{F}_Z$, and the unitary operator $V_Z^\dagger$. Then he applies the operator $C_X = U_X F_X V_X$. Finally he performs an $X$-basis measurement. Note that we retain Eve's vacuum measurement and all components preceding it, so Eve obtains the identical information as in Fig. 2a. The matrix $\bar{F}_Z$ is diagonal, and is given by

$$\bar{F}_Z F_Z = \sqrt{\eta_Z}\, I, \tag{13}$$

where

$$\eta_Z = \min_{i,j}\{\eta_{Zi}(t_j)\}. \tag{14}$$

Similarly to $F_Z$, the filter $\bar{F}_Z$ is implementable by beam splitters acting separately on each mode. The largest element of $|\bar{F}_Z|^2$ is 1, while the smallest element is $\eta_Z/\max_{i,j}\{\eta_{Zi}(t_j)\}$.

To analyze how well Bob performs in his prediction, we will now simplify the system in Fig. 2b to determine Bob's measurement statistics. To do this, we introduce an extra vacuum measurement right before Bob's detectors, assuming nobody records the outcome. Clearly, Bob's measurement statistics are not altered by the presence of this extra measurement. The filter $U_X F_X V_X V_Z^\dagger \bar{F}_Z U_Z^\dagger$ obeys (9), being a linear optical transformation. As a result, we show in the appendix that the output state, after the extra vacuum measurement, is independent of the presence of Eve's vacuum measurement (i.e., the first vacuum measurement, after $U_Z$ in Fig. 2b). Thus, to estimate Bob's measurement statistics, we can remove Eve's vacuum measurement. We end up with the simplified system shown in Fig. 2c. Note that the simplified system is identical to the system in Fig. 2d, the actual protocol when Bob has chosen the $X$-basis, except for one thing: There is an extra, mode-independent absorption $\eta_Z$ in the channel. This fact will be used for estimating the performance of Bob's prediction.

To prove the security also for the multiphotonic case, we use the parameters $q_X^{(1)}$ and $e_X^{(1)}$, assumed known from the decoy state protocol. $q_X^{(1)}$ is the fraction of Bob's $X$-basis non-vacuum events that originate from single photons at Alice, and $e_X^{(1)}$ is the QBER for single photon events in the $X$-basis (only single photons generate secure key). Consider the prediction in Fig. 2b-c. Let $NQ_Z$ be the number of states in the raw key. In a worst case, the number of detection events that originate from single photons at Alice will be only $\eta_Z q_X^{(1)} Q_X N$, due to the filter (note that $\eta_Z Q_X \leq Q_Z$). For each of these events Bob's entropic uncertainty about Alice's bit is (asymptotically) $h(e_X^{(1)*})$, where $e_X^{(1)*}$ is the associated error rate. We note that $e_X^{(1)*}$ is not measured in the actual protocol; it will rather be estimated below. For the events lost in the filter $\sqrt{\eta_Z}\, I$, Bob's entropic uncertainty about Alice's bit is 1, since he has no detection result. Summarizing, Bob's entropic uncertainty about Alice's $Q_Z N$ bits (corresponding to the number of detection events in Fig. 2a) is at most $H = Q_Z N - \eta_Z q_X^{(1)} Q_X N\,[1 - h(e_X^{(1)*})]$. In our analysis we have ignored the events associated with Alice sending the vacuum state [30]; their contribution will only give a marginally larger rate. From (12) the secure key rate becomes

$$R_Z = -h(E_Z) + \eta_Z q_X^{(1)} \frac{Q_X}{Q_Z}\left[1 - h\!\left(e_X^{(1)*}\right)\right]. \tag{15}$$



It remains to bound the parameter $e_X^{(1)*}$, which is the QBER for single photon events in the estimation Fig. 2b-c. Recall that $e_X^{(1)}$ is the estimated QBER for single photon events in the $X$-basis, Fig. 2d. The only difference between the setup in Fig. 2c and Fig. 2d is the filter $\sqrt{\eta_Z}\, I$, which represents identical absorption in all modes. However, the removal of detection events by this filter is dependent on the photon number, so $e_X^{(1)*} \neq e_X^{(1)}$ in general [s^. To bound $e_X^{(1)*}$ we use the fact that the filter only alters the detection statistics by removing detection events. (An exception occurs for the few coincidence counts; these can be taken into account easily.) In a worst case,

$$e_X^{(1)*} \leq \frac{e_X^{(1)}}{\eta_Z}. \tag{16}$$



Putting these results together, we obtain the secure key generation rate

$$R_Z \geq -h(E_Z) + \eta_Z q_X^{(1)} \frac{Q_X}{Q_Z}\left[1 - h\!\left(\frac{e_X^{(1)}}{\eta_Z}\right)\right]. \tag{17}$$

A similar result holds when Alice and Bob have chosen the $X$-basis in the actual protocol:

$$R_X \geq -h(E_X) + \eta_X q_Z^{(1)} \frac{Q_Z}{Q_X}\left[1 - h\!\left(\frac{e_Z^{(1)}}{\eta_X}\right)\right]. \tag{18}$$

Ineqs. (17) and (18) are valid for any basis and bit dependence of the channel and receiver/detectors, as long as the imperfections ($C_Z$ and $C_X$) can be described as possibly lossy, linear optical operators acting on the photonic modes.

To compare our result (17) to that of Ref. , we let Alice only send single photons. The rate then becomes

$$R \geq -h(E) + \eta\left[1 - h(E/\eta)\right], \tag{19}$$

where we have assumed symmetry between the bases, and therefore omitted the $Z$ and $X$ subscripts. The rate (19) coincides with the rate found in [14] (see Subsection IV B for a discussion on how to identify $\eta$). Note, however, that our result is stronger in the sense that it applies to any basis-dependent linear optical imperfections, not only the case where $U_{Z,X} = I$, and $V_{Z,X}$ do not mix modes associated with different logical bits. Also it does not require the squashing model assumption.

Under the assumption that Eve only sends single photons, it is easy to realize that (16) can be replaced by $e_X^{(1)*} = e_X^{(1)}$. Then (19) is improved to

$$R \geq -h(E) + \eta\left[1 - h(E)\right]. \tag{20}$$

Fig. 3 shows the security bounds resulting from (19) and (20) when the right-hand side is set equal to zero.
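To see what the lower bound costs in practice, the sketch below evaluates Ineqs. (17), (19) and (20) and the privacy amplification term $H/(NQ_Z)$, starting from sampled detector efficiency curves reduced to $\eta_Z$ with the time-domain formula, Eq. (24) of Subsection IV A. It is an added example, not code from the paper; the function names, the sample curves and the cap of the error-rate bound at 1/2 (Bob's uncertainty cannot exceed one bit) are assumptions made here.

```python
import math

# Constructed sample: efficiencies of detector 0 and 1 at five gate times.
SAMPLE_ETA0 = [0.02, 0.06, 0.10, 0.08, 0.03]
SAMPLE_ETA1 = [0.03, 0.08, 0.10, 0.06, 0.02]


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def eta_time_domain(eta0, eta1):
    """Eq. (24): worst-case efficiency ratio over all sampled times."""
    worst = 1.0
    for a, b in zip(eta0, eta1):
        if a == 0.0 and b == 0.0:
            continue                       # both detectors off: no detection at this time
        if a <= 0.0 or b <= 0.0:
            return 0.0                     # one detector blind while the other clicks
        worst = min(worst, a / b, b / a)
    return worst


def rate_lower_bound(E_Z, eta_Z, e1_X, q1_X=1.0, Q_X=1.0, Q_Z=1.0):
    """Ineq. (17): secure key rate per detected Z-basis signal."""
    if eta_Z <= 0.0:
        return -h(E_Z)
    e_star = min(e1_X / eta_Z, 0.5)        # Ineq. (16), capped at 1/2 (assumption)
    return -h(E_Z) + eta_Z * q1_X * Q_X / Q_Z * (1.0 - h(e_star))


def rate_general(E, eta):
    """Ineq. (19): single photons from Alice, symmetric bases."""
    return rate_lower_bound(E, eta, E)


def rate_single_photon_eve(E, eta):
    """Ineq. (20): additionally assumes Eve sends only single photons."""
    return -h(E) + eta * (1.0 - h(E))


def pa_fraction(eta_Z, e1_X, q1_X=1.0, Q_X=1.0, Q_Z=1.0):
    """H / (N Q_Z): fraction of the raw key removed by privacy amplification."""
    return 1.0 - rate_lower_bound(0.0, eta_Z, e1_X, q1_X, Q_X, Q_Z)


def max_qber(rate, eta):
    """Largest QBER with rate(E, eta) > 0, by bisection on [0, 1/2]."""
    lo, hi = 0.0, 0.5
    if rate(lo, eta) <= 0.0:
        return 0.0
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if rate(mid, eta) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    eta = eta_time_domain(SAMPLE_ETA0, SAMPLE_ETA1)
    print("eta_Z from the sampled curves: %.3f" % eta)
    print("tolerable QBER, Ineq. (19): %.4f" % max_qber(rate_general, eta))
    print("tolerable QBER, Ineq. (20): %.4f" % max_qber(rate_single_photon_eve, eta))
    print("privacy amplification at e = 2%%: %.3f of the raw key" % pa_fraction(eta, 0.02))
```
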



IV. EXAMPLES 
A. DEM in the time-domain 

Consider the case where Bob's detectors have time-dependent efficiencies, as indicated in Fig. 1. We assume that the efficiencies are independent of the basis chosen by Bob ($F_X = F_Z$). The channel and receiver are otherwise assumed perfect, except for a background loss $C$. The background loss may be mode dependent, but independent of the basis chosen by Bob.

FIG. 3: Security bounds when Alice sends single photons ($q_X^{(1)} = q_Z^{(1)} = 1$), assuming symmetry between the bases. The bounds are found by setting the associated key generation rates equal to zero. Solid line: General security bound, as resulting from (19). Dash-dotted line: Security bound (20) assuming Eve sends single photons. Dashed line: The improvement of the optimal individual attack from Section II, as resulting from (8). Dotted line: The combined attack from Section II, as resulting from (4). For the attacks it is assumed that the DEM is equal for the two bit values. The dark grey region is proved to be insecure while the white region is proved to be secure with extra privacy amplification. The light grey region should be assumed insecure.

With these assumptions, we may take $C_Z = F_Z C$ and $C_X = F_X H C = F_Z H C$, where $H$ is a block-diagonal matrix consisting of $2 \times 2$ Hadamard matrices $H^{(2)}$ interchanging the bases $Z$ and $X$ for each time:

$$H = \mathrm{diag}\left[H^{(2)}\ \ H^{(2)}\ \cdots\right]. \tag{21}$$

To maximize the secure key rate, as much as possible of the detector flaws should be absorbed into $C$. Therefore, we factorize

$$F_Z = F F', \tag{22}$$

where

$$|F'|^2 = \mathrm{diag}\left[\eta'(t_1)\ \ \eta'(t_1)\ \ \eta'(t_2)\ \ \eta'(t_2)\ \cdots\right], \tag{23}$$

and $\eta'(t_j) = \max\{\eta_{Z0}(t_j), \eta_{Z1}(t_j)\}$. Noting that $F'$ and $H$ commute, we can absorb $F'$ into $C$. The remaining diagonal matrix $F$ then has the role of $F_Z$ (and $F_X$) in the security proof. The parameter $\eta_Z = \eta_X$ to substitute into the secure key generation rate (17) is therefore the minimum diagonal element of $|F|^2$:

$$\eta_Z = \min_t \min\left\{\frac{\eta_{Z0}(t)}{\eta_{Z1}(t)},\ \frac{\eta_{Z1}(t)}{\eta_{Z0}(t)}\right\}. \tag{24}$$

B. DEM and restricted mode mixing

Consider the case treated by Fung et al. [14], where there is no mixing between modes associated with different logical bits. Then $C_Z$ can be written in block diagonal form

Cz - 



Co 
Ci 



provided we reorder the modes as in

$$|F_Z|^2 = \mathrm{diag}\left[\eta_{Z0}(t_1)\ \ \eta_{Z0}(t_2)\ \cdots\ \eta_{Z1}(t_1)\ \ \eta_{Z1}(t_2)\ \cdots\right]$$



(25) 



(26) 



to be compared to (11). As in Ref. [14] we assume basis independence in the sense



Here, 



Cx = 



H = 



Co 
Ci 



HC 



V2 



I I 

I -/ 



(27) 



(28) 



with the present choice of mode order. We assume that $C_Z$ is nonsingular. (Otherwise, the secure key generation rate would be zero.)

We should associate as much as possible of the imperfections to the common channel operator $C$. Let the singular-value decomposition of $C_0 C_1^{-1}$ be $usv$, where $u$ and $v$ are unitary matrices, and $s$ is diagonal and positive. Let $\Lambda$ be the maximum of $\max s$ and $\max s^{-1}$. Factorize



Cz 
Defining 



A 



,1/2 











s-i/2utCo 
s^^^vCi 



C 



s-^/^u^Co ■ 
s^/^vCi 



C. 

(29) 

(30) 



and noting that $s^{-1/2}u^\dagger C_0 = s^{1/2} v C_1$, we have $C'H = HC'$. This gives



Cz = X 
Cx = \ 



us^/^ 

«ts-l/2 

Usl/2 

wts-1/2 



C'C, 
HC'C. 



(31a) 
(31b) 



Similarly to the reasoning in Section III, Bob applies a virtual filter to transform $C_Z$ into an operator proportional to $C_X$. Applying



i;ts-i/2 



4 



S-l/2ut ' 

s^/^v 



the operator Cz is transformed into Cx/A^. Following 
Section III, ^ — 1/A^. This gives 



= min(mins, mins ^). 



(32) 



Equivalently, r] is the minimum value of the eigen- 
values and inverse eigenvalues of CoCi^{CoCi^y = 
Co{ClCi)'^Cl. This 77 should be substituted into ^ 
to find the secure key generation rate. 

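The parameter $\eta$ can be measured as follows. For single photon input in a given superposition $\psi$ of logical "0" modes, the probability of a click in detector 0 is given by $\psi^\dagger C_0^\dagger C_0 \psi$. Similarly, we may use the identical superposition $\psi$ of "1" modes to find the detection probability of detector 1. Note that $\psi$ denotes a classical field vector, where each element corresponds to a separate mode. The parameter $\eta$ turns out to be equal to the minimum detection probability ratio

$$\eta = \min\left\{ \min_\psi \frac{\psi^\dagger C_0^\dagger C_0 \psi}{\psi^\dagger C_1^\dagger C_1 \psi},\ \min_\psi \frac{\psi^\dagger C_1^\dagger C_1 \psi}{\psi^\dagger C_0^\dagger C_0 \psi} \right\}. \qquad (33)$$

In other words, $\eta$ is given by the minimum efficiency mismatch ratio for all superpositions of input modes.

To see this, let $u s^2 u^\dagger$ be the spectral decomposition of $C_0 (C_1^\dagger C_1)^{-1} C_0^\dagger$. Then we have $(C_0^{-1})^\dagger (C_1^\dagger C_1) C_0^{-1} = u s^{-2} u^\dagger$, and

$$\frac{\psi^\dagger C_1^\dagger C_1 \psi}{\psi^\dagger C_0^\dagger C_0 \psi} = \frac{\psi'^\dagger (C_0^{-1})^\dagger C_1^\dagger C_1 C_0^{-1} \psi'}{\psi'^\dagger \psi'} = \frac{\psi'^\dagger u s^{-2} u^\dagger \psi'}{\psi'^\dagger \psi'}, \qquad (34)$$

with $\psi' = C_0 \psi$. Combining (32) and (34) gives the desired result.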
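A numerical check that the eigenvalue form (32) and the detection-probability-ratio form (33) agree, as an added example that is not part of the paper. It assumes real 2x2 blocks $C_0$ and $C_1$ (two modes per detector) with constructed values; all function names are hypothetical.

```python
import math

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def inverse(a):
    det = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    if abs(det) < 1e-12:
        raise ValueError("singular block: the secure key rate would be zero")
    return [[a[1][1] / det, -a[0][1] / det],
            [-a[1][0] / det, a[0][0] / det]]

def eta_from_spectrum(c0, c1):
    """Eq. (32): min of the eigenvalues and inverse eigenvalues of
    C0 (C1^T C1)^-1 C0^T = u s^2 u^T (real 2x2 blocks)."""
    r = matmul(c0, inverse(c1))                              # C0 C1^-1 = u s v
    m = matmul(r, [[r[0][0], r[1][0]], [r[0][1], r[1][1]]])  # r r^T, symmetric
    mean = (m[0][0] + m[1][1]) / 2
    gap = math.hypot((m[0][0] - m[1][1]) / 2, m[0][1])
    return min(mean - gap, 1 / (mean + gap))                 # min(min s^2, min s^-2)

def click_probability(c, psi):
    """psi^T C^T C psi for a single photon in the mode superposition psi."""
    return sum((row[0] * psi[0] + row[1] * psi[1]) ** 2 for row in c)

def eta_from_scan(c0, c1, steps=20000):
    """Eq. (33): smallest detection-probability ratio over real superpositions."""
    worst = math.inf
    for k in range(steps):
        theta = math.pi * k / steps
        psi = (math.cos(theta), math.sin(theta))
        p0, p1 = click_probability(c0, psi), click_probability(c1, psi)
        worst = min(worst, p0 / p1, p1 / p0)
    return worst

# Constructed receiver blocks (two temporal modes per detector); not measured data.
C0 = [[0.90, 0.05], [0.02, 0.60]]
C1 = [[0.80, 0.00], [0.10, 0.75]]

if __name__ == "__main__":
    print("eta from eigenvalues (32):", round(eta_from_spectrum(C0, C1), 6))
    print("eta from mode scan   (33):", round(eta_from_scan(C0, C1), 6))
```

For real symmetric forms the extreme ratios are reached by real vectors, so scanning one angle is sufficient in this two-mode case.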

C. DEM and misalignments 

In addition to the detector efficiency mismatch in Subsection IV A, suppose that Bob's detectors are misaligned. The misalignments may be dependent on Bob's choice of basis, and are described by unitary matrices $V_Z$ and $V_X$. This gives the channel operators $C_Z = F_Z V_Z C$ and $C_X = F_X V_X H C$. Assuming no coupling between different temporal modes (no multiple reflections), $V_Z$ and $V_X$ are block-diagonal matrices. For example,

$$V_Z = \mathrm{diag}\left[V_1^{(2)}\ \ V_2^{(2)}\ \ V_3^{(2)}\ \ \ldots\right], \qquad (35)$$

where $V_j^{(2)}$ are unitary $2 \times 2$ matrices. Here we have used the same order of modes as in the original definition (11). Taking $F_X = F_Z$ and factorizing as in Subsection IV A, we find that the parameter $\eta_Z = \eta_X$ again is given by (24). The secure key generation rate is then found from

If there is coupling between modes associated with different $t$'s (in addition to the misalignment), we must retain the general definition of $\eta_Z$ in (14). For unnormalized detection efficiencies, this definition can be rewritten

$$\eta_Z = \frac{\min_{i,t}\{\eta_{Zi}(t)\}}{\max_{i,t}\{\eta_{Zi}(t)\}}. \qquad (36)$$

Eq. (36) is obtained by absorbing the maximum detector efficiency $\max_{i,t}\{\eta_{Zi}(t)\}$ into $C$. Omitting the requirement $F_X = F_Z$, (36) must be rewritten as

$$\eta_Z = \frac{\min_{i,t}\{\eta_{Zi}(t)\}}{\max\left(\max_{i,t}\{\eta_{Zi}(t)\},\ \max_{i,t}\{\eta_{Xi}(t)\}\right)}. \qquad (37)$$
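The three expressions for $\eta_Z$ from Subsections A and C, namely (24), (36) and (37), evaluated on one set of efficiency curves. This is an added example, not code from the paper; the efficiency tables and function names are constructed for illustration.

```python
def bin_ratio(a, b):
    """Efficiency mismatch ratio of one time bin; 0 if either detector is blind."""
    return min(a, b) / max(a, b) if min(a, b) > 0 else 0.0

def eta_no_coupling(eff0, eff1):
    """Eq. (24): worst per-bin ratio. Returns (eta, index of the limiting bin)."""
    ratios = [bin_ratio(a, b) for a, b in zip(eff0, eff1)]
    worst = min(range(len(ratios)), key=ratios.__getitem__)
    return ratios[worst], worst

def eta_with_coupling(eff_z, eff_x=None):
    """Eq. (36) for eta_Z; with eff_x supplied, Eq. (37) (F_X = F_Z not required).
    eff_z and eff_x are (bit-0 curve, bit-1 curve) pairs."""
    flat_z = [e for curve in eff_z for e in curve]
    ceiling = max(flat_z)
    if eff_x is not None:
        ceiling = max(ceiling, max(e for curve in eff_x for e in curve))
    if ceiling == 0:
        return 0.0  # no detector ever clicks
    return min(flat_z) / ceiling

# Constructed efficiency tables for five time bins across a detector gate
# (illustrative numbers, not measurements from the paper).
Z0 = [0.02, 0.08, 0.10, 0.09, 0.04]
Z1 = [0.04, 0.09, 0.10, 0.08, 0.01]
X0 = [0.03, 0.09, 0.12, 0.09, 0.03]
X1 = [0.03, 0.08, 0.11, 0.10, 0.02]

if __name__ == "__main__":
    eta24, bin24 = eta_no_coupling(Z0, Z1)
    eta36 = eta_with_coupling((Z0, Z1))
    eta37 = eta_with_coupling((Z0, Z1), (X0, X1))
    print(f"(24) no coupling between time bins: eta_Z = {eta24:.3f} (bin {bin24})")
    print(f"(36) coupling, F_X = F_Z:           eta_Z = {eta36:.3f}")
    print(f"(37) coupling, basis dependent:     eta_Z = {eta37:.3f}")
```

On these tables the same receiver gives 0.25 without coupling between time bins, but 0.10 and 0.083 once coupling must be assumed, because the weakest bin at the gate edge is then compared with the strongest bin anywhere.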



D. Characterizing DEM of Bob's receiver

To estimate the secure key generation rate, Bob must characterize his receiver to find $\eta_Z$ and $\eta_X$ (or $\eta = \min\{\eta_Z, \eta_X\}$). We note that rather different results are obtained dependent on whether or not there is coupling between different modes. For the case of DEM in the time-domain, since it is difficult to eliminate multiple reflections in Bob's receiver, a conservative approach is to use (37).

For the case with gated detectors, the efficiencies approach zero at the edges of the detection window. When there is coupling between different temporal modes, the resulting key generation rate will therefore be close to zero. Even if no such coupling is present, the key generation rate may approach zero, since at the edges of the detection window the efficiency ratio may be very small. (Although the average detection probability at the edges may be small, Eve may compensate this by replacing the channel by a more transparent one, or by increasing the power of her pulses [l^.) A possible solution may be that Bob monitors his input signal at all times, to ensure that Eve does not send photons outside the central part of the window. Then $\eta$ can be obtained by measuring the minimum and maximum detection efficiency for (superpositions of) modes with times inside this central part.

Such a measurement may be cumbersome due to many degrees of freedom of the possible inputs. Alternatively, one could specify the maximum possible amount of mode coupling in the system, and use this information to lower bound $\eta$. Suppose that the maximum (power) coupling from one mode $j$ to all other modes is $\delta$. Then the unitary matrix $V_Z$ satisfies $\sum_{i \neq j} |v_{ij}|^2 \leq \delta$ in addition to $\sum_i |v_{ij}|^2 = 1$, omitting the subscript $Z$ for clarity. Let $|f_j|$ be the $j$th diagonal element of $F_Z$. By measuring the detection efficiency when photons are incident to the $j$th mode, we obtain $\sum_i |v_{ij}|^2 |f_i|^2 = |f_j|^2 + \sum_{i \neq j} |v_{ij}|^2 (|f_i|^2 - |f_j|^2)$. Hence, the elements $|f_j|^2$ can be found from the detection efficiency as a function of $j$ of the incident mode, up to an error $\sum_{i \neq j} |v_{ij}|^2 (|f_i|^2 - |f_j|^2) \leq \delta$. A lower bound of $\eta$ is therefore

$$\eta \geq \frac{\min_{t,\,\text{basis},\,\text{bit}} (\text{detection efficiency}) - \delta}{\max_{t,\,\text{basis},\,\text{bit}} (\text{detection efficiency}) + \delta}. \qquad (38)$$

The required measurement is to obtain the detection efficiency as a function of $t$ and logical bit value for both bases. For detection efficiency mismatch in the time-domain the test pulses should be sufficiently short, in order to capture all details. An upper bound of the parameter $\delta$ may be estimated from the (worst case) multiple reflections and misalignments that may happen in the system.

DISCUSSION AND CONCLUSION

In this work we have proved the security of BB84 in the presence of any basis dependent, possibly lossy, linear optical imperfections in the channel and receiver/detectors. The security proof thus covers a combination of several imperfections: Detection efficiency mismatch, misalignments, mixing between the modes, multiple reflections, and any basis dependence of those effects. Contrary to most previous security proofs, this proof does not require a squashing detector model.

A specific implementation of a QKD system may have several different imperfections. Ideally there should be a universal security proof with a set of parameters that cover all (worst case) imperfections and tolerances of the equipment. We have made a step towards this goal by describing generic imperfections at the detector, and by providing a compact proof, which may hopefully prove useful for an even more general description.

We have established an upper bound for the secure key rate by providing two powerful attacks. One of the attacks may be applied to systems even with the four-state Bob patch, and this demonstrates the seriousness of the detection efficiency loophole. This attack is based on a combination of an optimal individual attack, a time shift attack, and a large pulse attack. As a consequence of such types of attacks, the key generation rate may not increase substantially as a result of the four-state Bob patch. A possible countermeasure is to use the general bounds (flT)) and (fTS)) for estimating the required amount of privacy amplification.

Appendix A: Properties of vacuum measurement

Let $\{|n\rangle\}$ be an orthonormal basis for a state space of interest. We refer to the state $|0\rangle$ as the "vacuum state of all modes", although it could in principle be any fixed, pure state. A vacuum measurement is a projective measurement with projectors $P = |0\rangle\langle 0|$ and $I - P$. We claim that if $\mathcal{T}$ is any quantum operation satisfying
$$\mathcal{T}(|0\rangle\langle 0|) = |0\rangle\langle 0|, \qquad (A1)$$

the presence of a vacuum measurement before $\mathcal{T}$ does not change the statistics and output state of a vacuum measurement after $\mathcal{T}$, see Fig. 4.

FIG. 4: The statistics and output state of the vacuum measurement after $\mathcal{T}$ is not changed by the introduction of a vacuum measurement before $\mathcal{T}$.

This result can be proved by using the fact that any quantum operation can be viewed as a unitary transformation on an extended state space, with a standard state $|0\rangle_{\mathrm{aux}}$ as auxiliary input. Due to (A1), we can assume that the unitary transformation transforms

$$|0\rangle \otimes |0\rangle_{\mathrm{aux}} \to |0\rangle \otimes |0\rangle_{\mathrm{aux}}, \qquad (A2)$$

with no loss of generality.

Consider the right-hand side of the identity (Fig. 4). Let $P_{\mathrm{aux}} = |0\rangle_{\mathrm{aux}}\langle 0|_{\mathrm{aux}}$. A vacuum measurement at the input can now be described as a projective measurement with $P \otimes P_{\mathrm{aux}}$ and $I - P \otimes P_{\mathrm{aux}}$, since the auxiliary input is fixed at $|0\rangle_{\mathrm{aux}}$. Clearly, it does not matter if we measure the auxiliary output with projectors $P_{\mathrm{aux}}$ and $I - P_{\mathrm{aux}}$. In total, the extended measurement at the output is described by projectors $P \otimes P_{\mathrm{aux}}$, $P \otimes (I - P_{\mathrm{aux}})$, $(I - P) \otimes P_{\mathrm{aux}}$, and $(I - P) \otimes (I - P_{\mathrm{aux}})$. Transforming the projector $P \otimes P_{\mathrm{aux}}$ backwards, we find that the corresponding projector at the input is $P \otimes P_{\mathrm{aux}}$. In other words, the extended vacuum measurement at the output contains the vacuum measurement at the input, so the latter is redundant.